GNU bug report logs - #31935
2 crashes in diffutills commit version 576645c


Package: diffutils;

Reported by: Hongxu Chen <leftcopy.chx <at> gmail.com>

Date: Fri, 22 Jun 2018 14:35:01 UTC

Severity: normal

Done: Jim Meyering <jim <at> meyering.net>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Hongxu Chen <leftcopy.chx <at> gmail.com>
Subject: bug#31935: closed (Re: [bug-diffutils] bug#31935: bug#31935:
 bug#31935: 2 crashes in diffutills commit version 576645c)
Date: Sat, 29 Dec 2018 07:16:02 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#31935: 2 crashes in diffutills commit version 576645c

which was filed against the diffutils package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 31935 <at> debbugs.gnu.org.

-- 
31935: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=31935
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Jim Meyering <jim <at> meyering.net>
To: Paul Eggert <eggert <at> cs.ucla.edu>
Cc: 31935-done <at> debbugs.gnu.org, Hongxu Chen <leftcopy.chx <at> gmail.com>
Subject: Re: [bug-diffutils] bug#31935: bug#31935: bug#31935: 2 crashes in
 diffutills commit version 576645c
Date: Fri, 28 Dec 2018 23:15:33 -0800
[Message part 3 (text/plain, inline)]
On Fri, Dec 28, 2018 at 9:20 PM Jim Meyering <jim <at> meyering.net> wrote:
>
> On Fri, Dec 28, 2018 at 7:11 PM Paul Eggert <eggert <at> cs.ucla.edu> wrote:
> >
> > Jim Meyering wrote:
> > > There are still numerous unguarded [-1] references, so this updated
> > > patch is doubtless still incomplete:
> >
> > The real bug was elsewhere, I think. I installed the attached patch. This patch
> > lacks your test case, which didn't work for me because there is no
> > require_valgrind_ in diffutils. Is require_valgrind_ from coreutils or from some
> > other location?
>
> Thanks. Nice patch.
> I've pushed the two test-related patches.

I noticed that the new test would fail when built with ASAN, so will push this:
[umr-test-vs-asan.diff (application/octet-stream, attachment)]
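An added illustration of the bug class this thread is about (not diffutils' code and not the patch referred to above): a line printer that decides whether to drop a trailing newline by reading `limit[-1]` reads one byte before the heap block when the line is empty and starts the buffer, which is what ASan reports below ("1 bytes to the left of 4096-byte region"). The guarded form checks `limit > base` first. The function names are hypothetical, and mapping this pattern onto util.c:1249 is an assumption drawn from the ASan output.

```c
/* Added example, not taken from diffutils.  The names below are made up. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Unguarded form (mirrors the bug class): inspects limit[-1] even when the
   range [base, limit) is empty, so an empty line at the very start of a
   heap buffer reads the byte just before the allocation. */
size_t body_len_unguarded(const char *base, const char *limit, bool skip_nl)
{
    return (size_t)(limit - base) - (skip_nl && limit[-1] == '\n');
}

/* Guarded form: only look at the last byte when there is one. */
size_t body_len_guarded(const char *base, const char *limit, bool skip_nl)
{
    bool ends_nl = skip_nl && limit > base && limit[-1] == '\n';
    return (size_t)(limit - base) - ends_nl;
}

/* Copies TEXT into a fresh heap block (constructed input, so an empty
   first line really has no readable byte before it) and returns the
   guarded body length of the first line [0, first_len). */
size_t guarded_len_of_first_line(const char *text, size_t first_len, bool skip_nl)
{
    size_t n = strlen(text);
    char *buf = malloc(n ? n : 1);
    if (!buf)
        abort();
    memcpy(buf, text, n);
    size_t r = body_len_guarded(buf, buf + first_len, skip_nl);
    free(buf);
    return r;
}

int main(void)
{
    /* Empty first line at the start of a heap block: the guarded form
       returns 0; the unguarded form would read buf[-1] here. */
    return guarded_len_of_first_line("", 0, true) == 0 ? 0 : 1;
}
```

Building the same program with -fsanitize=address and calling the unguarded form on the empty line reproduces the "heap-buffer-overflow ... to the left of" report shape seen in the original message.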
[Message part 5 (message/rfc822, inline)]
From: Hongxu Chen <leftcopy.chx <at> gmail.com>
To: bug-diffutils <at> gnu.org
Subject: 2 crashes in diffutills commit version 576645c
Date: Fri, 22 Jun 2018 14:49:47 +0800
[Message part 6 (text/plain, inline)]
Hello,

We found with our fuzzer 2 crashes on diffutils version 576645c: one is
a heap-buffer-overflow at util.c:1249, the other is an invalid read resulting
from `output_1_line' at util.c:1274.
The executing command is: `./diff -a --strip-trailing-cr $file
add.wasm`, where $file is the poc file (I attached them as *.input.txt);
"add.wasm" is also attached; however, it seems that the content of the comparison
file is not important.

The Address Sanitizer outputs (attached as "*.err.SIG06") are:

=================================================================
==8310==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6210000000ff at pc 0x00000055108a bp 0x7ffdc5af8650 sp 0x7ffdc5af8648
READ of size 1 at 0x6210000000ff thread T0
    #0 0x551089 in print_1_line_nl
/home/hongxu/FOT/diffutils-fuzz/src/util.c:1249:44
    #1 0x544366 in print_normal_hunk
/home/hongxu/FOT/diffutils-fuzz/src/normal.c:66:11
    #2 0x550883 in print_script
/home/hongxu/FOT/diffutils-fuzz/src/util.c:1195:7
    #3 0x51351f in diff_2_files
/home/hongxu/FOT/diffutils-fuzz/src/analyze.c:665:5
    #4 0x5297a7 in compare_files
/home/hongxu/FOT/diffutils-fuzz/src/diff.c:1434:11
    #5 0x52546a in main /home/hongxu/FOT/diffutils-fuzz/src/diff.c:800:18
    #6 0x7f7a0e14fb96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #7 0x41d709 in _start
(/home/hongxu/FOT/diffutils-fuzz/install/bin/diff+0x41d709)

0x6210000000ff is located 1 bytes to the left of 4096-byte region
[0x621000000100,0x621000001100)
allocated by thread T0 here:
    #0 0x4d2d60 in malloc
(/home/hongxu/FOT/diffutils-fuzz/install/bin/diff+0x4d2d60)
    #1 0x583120 in xmalloc
/home/hongxu/FOT/diffutils-fuzz/lib/xmalloc.c:41:13

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/hongxu/FOT/diffutils-fuzz/src/util.c:1249:44 in print_1_line_nl
Shadow bytes around the buggy address:
  0x0c427fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c427fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c427fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8310==ABORTING

and:

ASAN:DEADLYSIGNAL
=================================================================
==8313==ERROR: AddressSanitizer: SEGV on unknown address 0x6210000100d4 (pc
0x7f367ca57c40 bp 0x000000000400 sp 0x7ffeebd7e358 T0)
==8313==The signal is caused by a READ memory access.
    #0 0x7f367ca57c3f
/build/glibc-OTsEL5/glibc-2.27/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:370
    #1 0x7f367c954993 in _IO_file_xsputn
/build/glibc-OTsEL5/glibc-2.27/libio/fileops.c:1258
    #2 0x7f367c95351f in fwrite_unlocked
/build/glibc-OTsEL5/glibc-2.27/libio/iofwrite_u.c:43
    #3 0x551dc4 in output_1_line
/home/hongxu/FOT/diffutils-fuzz/src/util.c:1274:28
    #4 0x550d24 in print_1_line_nl
/home/hongxu/FOT/diffutils-fuzz/src/util.c:1249:3
    #5 0x544366 in print_normal_hunk
/home/hongxu/FOT/diffutils-fuzz/src/normal.c:66:11
    #6 0x550883 in print_script
/home/hongxu/FOT/diffutils-fuzz/src/util.c:1195:7
    #7 0x51351f in diff_2_files
/home/hongxu/FOT/diffutils-fuzz/src/analyze.c:665:5
    #8 0x5297a7 in compare_files
/home/hongxu/FOT/diffutils-fuzz/src/diff.c:1434:11
    #9 0x52546a in main /home/hongxu/FOT/diffutils-fuzz/src/diff.c:800:18
    #10 0x7f367c8eab96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #11 0x41d709 in _start
(/home/hongxu/FOT/diffutils-fuzz/install/bin/diff+0x41d709)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/build/glibc-OTsEL5/glibc-2.27/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:370

==8313==ABORTING

The glibc version is 2.27 and it's an Ubuntu 18.04 LTS (Linux C10
4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64 x86_64
x86_64 GNU/Linux) machine.


Best Regards,
Hongxu
[Message part 7 (text/html, inline)]
[hbo_util.c:1249_1.input.txt (text/plain, attachment)]
[hbo_util.c:1249_2.input.txt (text/plain, attachment)]
[hbo_util.c:1249_2.err.SIG06 (application/octet-stream, attachment)]
[hbo_util.c:1249_1.err.SIG06 (application/octet-stream, attachment)]
[read_util.c:1274:28_1.err.SIG06 (application/octet-stream, attachment)]
[read_util.c:1274:28_1.input.txt (text/plain, attachment)]
[read_util.c:1274:28_2.err.SIG06 (application/octet-stream, attachment)]
[read_util.c:1274:28_2.input.txt (text/plain, attachment)]
[add.wasm (application/octet-stream, attachment)]
